California Consumer Privacy Act (CCPA)
The information provided in this blog post does not, and is not intended to, constitute legal advice. Please consult with your own legal counsel on your situation.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a new state privacy law that impacts most market research and data analytics companies, and covers almost all consumer data. The law applies to almost any kind of data, and in any form, not just to electronic/online data.
GDPR vs. CCPA
CCPA’s goal is to give California residents greater control over how organizations collect, use and disclose their personal data. Although there are some similarities with General Data Protection Regulation (GDPR), CCPA also introduces additional rights for consumers such as the right to opt out from allowing a business to sell their personal data. Certain CCPA requirements overlap with the existing GDPR requirements, but several policies, processes and systems will still need updating to address differences between the two laws.
Who does CCPA apply to?
The International Association of Privacy Professionals (IAPP) estimates that the new law “will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises.”
Basically, CCPA covers for-profit companies “that collect consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- Have greater than $25 million in annual gross revenue;
- Annually handle personal information for 50,000 consumers; or
- Derive half of annual revenue from selling consumers’ personal information.”
The CCPA only imposes obligations on a business and not on service providers directly. As defined under the CCPA, a “service provider” is a for-profit entity “that processes information on behalf of a business.” If your company does not meet the requirements above to qualify as a business, your company may still be subject to the vendor management obligations that a business is required to impose on its service providers.
EXAMPLE: a company that falls within the scope of the CCPA must require by contract that its suppliers that process information on behalf of the company only retain, use, or disclose such personal information for the specific purpose of performing the services specified in the contract.
Because many marketing research and data analytics companies (as well as our clients) will be covered by CCPA, it’s something to look into no matter where you are based. The only way to avoid this law entirely is for a company to have nothing to do with data on a California resident (including a California employee, independent contractor or participant). That’s hard to avoid when doing nationwide research projects!
It’s tempting to think that your company is “too small to worry.” But while some small companies may not be covered, it still will be hard for them to escape the law’s reach.
EXAMPLE: a small recruiting company that recruits fewer than 50,000 individuals for other organizations’ studies would still be subject to this law if recruitment (the sale of consumers’ personal contact details and qualifications for a study to the recruiter’s clients) makes up half or more of its annual revenue.
What do I do to comply?
Businesses that fall under the scope of the CCPA will need to update data practices and procedures in order to comply with certain CCPA disclosure requirements. Businesses that fail to comply with the CCPA may be subject to “monetary penalties, regulatory enforcement actions, and private rights of action.”
Based on conversations I’ve had with experts on the topic, there are a few things you should do or consider to ensure you are CCPA compliant:
- Meet with your lawyer to determine if you need to be CCPA compliant and what steps you need to take in order to do so.
- Consider updating your operating agreements, written information security program (WISP) and/or incident response plan (IRP).
- Review your company’s agreements with service providers to be sure you are up to date with their requirements.
Note that the law went into effect on Jan. 1, 2020, and it will continue to be updated; keep abreast of changes here: https://oag.ca.gov/privacy/ccpa or subscribe to the mailing list here: https://oag.ca.gov/privacy/ccpa/subscribe
Katrina is principal of KNow Research, a full-service insights consultancy that has specialized for 16+ years in designing custom qualitative insights projects to unlock insights about brands and target audiences. She is also co-founder of Scoot Insights, whose trademarked Scoot™ Sprint approach helps decision-makers choose the right direction.